- Why Cleafy
- ResourcesgDocumentsInsightsCleafy LabsEventsWebinarResources
- Get in touch
At the end of October 2021, a new Android banking trojan appeared on Cleafy's telemetries. Since the lack of information and the absence of a proper nomenclature of this malware family, we decided to dub it SharkBot to better track this family inside our internal Threat Intelligence taxonomy.
SharkBot belongs to a “new” generation of mobile malware, as it is able to perform ATS attacks inside the infected device. This technique has been already seen recently from other banking trojans, such as Gustuff. ATS (Automatic Transfer System) is an advanced attack technique (fairly new on Android) which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices. Contrary to TeaBot and Oscorp/UBEL where a live operator is required to insert and authorize a money transfer, with ATS technique Threat Actors can scale up their operations with minimum user intervention. We assume that SharkBot is trying to bypass behavioural detection countermeasures (e.g.,biometrics) put in place by multiple banks and financial services with the abuse of Android Accessibility Services, also bypassing the need of a “new device enrollment”.
Moreover, SharkBot appears to have all the main features of nowadays Android banking trojan achieved by abusing Accessibility Servicessuch as:
At the time of writing, we didn’t notice any samples on Google's official marketplace. The malicious app is installed on the users' devices using both the side-loading technique and social engineering schemes.
Thanks to an in-depth analysis of several samples related to SharkBot, we collected 22 different targets including international banks from UK and Italy and 5 different cryptocurrency services, as shown in the following Figure 2:
SharkBot, is a new generation Android banking trojan, discovered by Cleafy Threat Intelligence team at the end of October 2021. The name “SharkBot” comes from multiple strings found in its binaries, which contain the word “sharked”.
SharkBot hides itself with common names and icons posing as a legitimate application to the victims, as shown in Figure 3.
However, during its installation, SharkBot immediately tries to enable Accessibility Services that keep being requested persistently with fake pop-ups until the victim accepts.
Once the malicious app has been installed, no icon is displayed on the device and SharkBot is able to get all the permissions needed (declared inside the AndroidManifest file) thanks to the accessibility services enabled. This is done by clicking instantly on the popup shown to the user.
With the permissions shown in Figure 5, SharkBot is able to read/send text messages, perform overlay attacks and, with the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission, it is able to bypass Android's doze component and stay connected to the C2 servers to continue its malicious behavior.
At the time of writing, Sharkbot seems to be still under development as the very first samples tracked down at the end of October use:
So far, SharkBot has a very low detection rate by antivirus solutions (only 3/62), as shown by Figure 7. This means that the malware has been written from scratch, in addition to the fact that it uses an external module, downloaded from the C2, containing the ATS core functionalities and anti-detections technique used to slow down the static and dynamic analysis.
Analysing the underground hacking forums, we didn’t find any references to this malware. This makes us think that SharkBot is still a private botnet.
 http://www.allatori.com/ (*Allatori is a legitimate software)
SharkBot uses different anti-analysis and detection techniques, in particular:
Although SharkBot has an ATS module, it also has some common features present in other banking trojan, in particular:
Android’s Accessibility Service has been historically abused by multiple banking trojans (e.g., TeaBot, Oscorp/UBEL) for conducting multiple malicious actions in the infected device. SharkBot, similar to Gustuff, is able to abuse Accessibility Service enabling ATS attacks inside the infected device.
ATS (Automatic Transfer System) attacks enable TA to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices to a money mule network controlled by TA or other affiliates. This makes it possible to scale up their operations with minimum user intervention.
For a bank perspective, mobile ATS attacks are very hard to identify and handle since typically:
Once a victim has granted accessibility permissions, all the contents shown in the device screen can be intercepted and manipulated by SharkBot. Those capabilities are gained through Android AccessibilityEvents which are events that are sent by Android OS when something notable happens in the user interface. In fact, the main purpose of an accessibility event is to communicate changes in the UI to an AccessibilityService.
SharkBot appears to have interest only on a specific subset of accessibility events, which are the following:
We can group all the accessibility events intercepted by SharkBot as follows:
SharkBot has already implemented various functions which are been used for parsing all the data extracted from the UI, save them into a JSON format and exfiltrate them to the designed C2 server:
TA can also passively logs all the exfiltrated information from each infected device and enriching them with detailed information useful for a further ATS attack, such as account balance(s), enabled 2FA/SCA/MFA mechanisms, cash-out availability (e.g. SEPA, Instant payments), etc.
Once the ATS attack is remotely requested by TA, SharkBot will start interacting with the infected device and auto-fill fields in legitimate mobile banking apps and initiate money transfers. During this phase TA can also interact with the targeted application simulating gestures and clicks, if required.
With the discover of SharkBot we have shown new evidence about how mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioural detection countermeasures put in place by multiple banks and financial services during the last years.
Like the evolution of workstation malwares occurred in the past years, also in the mobile field we are seeing a rapid evolution towards more sophisticated patterns like ATS attacks.
The following table summarize the list of all the commands found in SharkBot during the technical analysis: